In web applications, a user terminal exchanges data with a web server through a browser platform. In general, the data transmission between a browser and a web server uses AJAX technology via an HTTP (Hypertext Transfer Protocol) channel. However, JavaScript is an interpreted language, so there is no secrecy in its algorithms, and it is not convenient to encrypt the data to be transmitted or decrypt the received data, which could lead to a risk of disclosure of the data in transmission.
The data transmission between a browser and a web server can be related to a variety of Internet services and operations, such as IM (instant messaging), online payment, online banking and securities business, etc. Taking the webIM in the IM system as an example, the characteristic of the webIM is that the user does not need to download and install a client application; the user can use the browser on a PC with a network connection to log in to an IMweb server, and can then access the IM server cluster. Unlike a typical client application, which can store some user data on a PC, the webIM obtains information such as a buddy list, etc., from the IMweb server on each connection after login to the IMweb server or to the server cluster, and this information is transmitted in cleartext via the HTTP channel. Information such as a buddy list, chat records, etc., often cannot be encrypted, so there is a risk of disclosure of information.
In order to improve the security of data transmission, an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) channel is often used for data transmission between a browser and a web server. The HTTPS channel is established for the purpose of security, and can simply be called a secure version of the HTTP protocol. In other words, it adds SSL (Secure Socket Layer) to HTTP. Thus, the foundation of HTTPS security is SSL, whose cryptographic capability performs the data encryption and decryption. When a URL (Uniform Resource Locator) begins with “HTTPS:”, it means the data should be transmitted through the HTTPS channel. Further, the HTTPS protocol uses a different default port from the HTTP protocol, and has a cryptographic/authentication layer.
The existing methodologies of cryptographic data transmission generally use the HTTPS channel for the entire data transmission. The HTTPS channel encrypts and decrypts the data transmitted between the browser and the web server, so even if the data were intercepted by a capture tool on a gateway or a router during the transmission, it would not result in the disclosure of data, because the capture tool cannot extract useful information without knowing the cryptographic algorithm. FIG. 1 shows the structure of the current cryptographic system for data transmission through the web.
However, data transmission between the browser and the web server via the HTTPS channel has the following drawbacks.
The HTTPS architecture has a great influence on the overall system efficiency, and its impact is roughly 10 times as much as that of the HTTP architecture. If all the HTTP architectures are replaced by HTTPS architectures, the overall performance will be reduced by about 90%. That is, the existing architecture will significantly increase the load of the HTTPS channel and reduce the overall performance.